{ "id": "2dd67985-072d-415d-9a21-46440da77daa", "created_at": "2026-04-06T00:19:43.649896Z", "updated_at": "2026-04-10T03:38:19.049641Z", "deleted_at": null, "sha1_hash": "368fba00e58d5f2a5cb8f95c702dd8117cd4c02f", "title": "An overview of targeted attacks and APTs on Linux", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1145229, "plain_text": "An overview of targeted attacks and APTs on Linux\r\nBy GReAT\r\nPublished: 2020-09-10 · Archived: 2026-04-05 19:59:04 UTC\r\nPerhaps unsurprisingly, a lot has been written about targeted attacks on Windows systems. Windows is, due to its\r\npopularity, the platform for which we discover most APT attack tools. At the same time, there’s a widely held\r\nopinion that Linux is a secure-by-default operating system that isn’t susceptible to malicious code. It’s certainly\r\ntrue that Linux hasn’t faced the deluge of viruses, worms and Trojans faced by those running Windows systems\r\nover the years. However, there is certainly malware for Linux – including PHP backdoors, rootkits and exploit\r\ncode. Moreover, numbers can be misleading. The strategic importance of servers running Linux makes them an\r\nattractive target for attackers of all kinds. If an attacker is able to compromise a server running Linux, they not\r\nonly gain access to data stored on the server but can also target endpoints connected to it running Windows or\r\nmacOS – for example, through a drive-by download. Furthermore, Linux computers are more likely to be left\r\nunprotected, so that such a compromise might well go unnoticed. When the Heartbleed and Shellshock\r\nvulnerabilities were first reported in 2014, two major concerns were that compromised Linux servers could\r\nbecome an attacker’s gateway into a corporate network and could give an attacker access to sensitive corporate\r\ndata.\r\nThe Global Research and Analysis Team (GReAT) at Kaspersky publishes regular summaries of advanced\r\npersistent threat (APT) activity, based on the threat intelligence research discussed in greater detail in our private\r\nAPT reports. In this report, we focus on the targeting of Linux resources by APT threat actors.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport are encouraged to contact intelreports@kaspersky.com.\r\nBarium\r\nWe first wrote about the Winnti APT group (aka APT41 or Barium) in 2013, when they were targeting mostly\r\ngaming companies for direct financial profit. Meanwhile, they grew their operations, developed tons of new tools\r\nand went for much more complex targets. MESSAGETAP is Linux malware used by this group to selectively\r\nintercept SMS messages from the infrastructure of telecoms operators. According to FireEye, the group deployed\r\nthis malware on SMS gateway systems as part of its operations to infiltrate ISPs and telecoms companies in order\r\nto build a surveillance grid.\r\nRecently, we discovered another suspected Barium/APT41 tool, written in the programming language Go (also\r\nknown as Golang) that implements a dynamic, C2-controlled packet corruption/network attack tool for Linux\r\nmachines. Although it’s not 100% clear if this is a tool developed for system administration tasks or if it is also\r\npart of the APT41 toolset, the fact that the functionality it offers can also be achieved through other system\r\nmanagement tools suggests that its purpose may not be legitimate. Also, its name on disk is rather generic and is\r\nunrelated to its functionality, again suggesting that it is potentially a covert tool used for carrying out certain types\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 1 of 10\n\nof destructive attacks. More details about this tool can be found in our private report “Suspected Barium network\r\ncontrol tool in GO for Linux”.\r\nCloud Snooper\r\nIn February 2020, Sophos published a report describing a set of malicious tools it attributes to a previously\r\nunknown threat actor called Cloud Snooper. The centerpiece is a server-oriented Linux kernel rootkit that hooks\r\nnetfilter traffic control functions in order to enable firewall-traversing covert C2 (command-and-control)\r\ncommunications. We analyzed and described the rootkit’s userland companion backdoor, dubbed ‘Snoopy’, and\r\nwere able to design detection and scanning methods to identify the rootkit at scale. We also discovered more\r\nsamples, as well as targeted servers in Asia. We believe that this evolved toolset might have been in development\r\nsince at least 2016.\r\nEquation\r\nWe uncovered the Equation group in 2015. This is a highly sophisticated threat actor that has been engaged in\r\nmultiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. For\r\nmany years this threat actor interacted or worked together with other powerful APT groups, for projects such as\r\nStuxnet and Flame. The group has a powerful arsenal of implants. Among those we found were:\r\n‘EQUATIONLASER’, ‘EQUATIONDRUG’, ‘DOUBLEFANTASY’, ‘TRIPLEFANTASY’, ‘FANNY’ and\r\n‘GRAYFISH’. The innovations of the Equation group aren’t limited to the Windows platform. The group’s\r\nPOSIX-compliant codebase allows for parallel developments on other platforms. In 2015, we came by the early-stage DOUBLEFANTASY malware for Linux. This implant collects system information and credentials and\r\nprovides generic access to an infected computer. Given the role this module plays in the infection lifecycle, it\r\nwould suggest the presence of analogous later-stage, more sophisticated implants, although we weren’t able to\r\nfind any.\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 2 of 10\n\nHackingTeam\r\nHackingTeam was an Italian information technology company that developed and sold intrusion and so called\r\n“legal surveillance software” to governments, law enforcement agencies and businesses around the world.\r\nUnfortunately for them, they were hacked and suffered a data breach in 2015, at the hands of the activist known as\r\nPhineas Phisher. The subsequent leak of 400GB of stolen company data, including source code and customer\r\ninformation, allowed these tools to be acquired, adapted and used by threat actors around the world, such as\r\nDancingSalome (aka Callisto). The leaked tools included a zero-day exploit for Adobe Flash (CVE-2015-5119) as\r\nwell as sophisticated platforms capable of providing remote access, keylogging, general information recording and\r\nexfiltration, and perhaps most notably, the ability to retrieve Skype audio and video frames directly from memory,\r\nbypassing stream encryption. The RCS (Remote Control System) malware (aka Galileo, Da Vinci, Korablin,\r\nMorcut and Crisis) includes multiple components, including desktop agents for Windows, macOS and perhaps\r\nunsurprisingly… Linux.\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 3 of 10\n\nLazarus\r\nIn late 2018, we discovered a previously unknown malicious framework that we named MATA internally. This\r\nframework was used to target commercial companies in Korea, India, Germany and Poland. While we weren’t\r\nable to find code overlaps with any other known actor, the Kaspersky Threat Attribution engine showed code\r\nsimilarities with Manuscrypt, complex malware used by Lazarus (aka Hidden Cobra). This framework, as with\r\nearlier malware developed by Lazarus, included a Windows backdoor. However, we also found a Linux variant\r\nthat we believe was designed for networking devices.\r\nIn June 2020, we analyzed new macOS samples linked to Lazarus Operation AppleJeus and TangoDaiwbo\r\ncampaigns, used in financial and espionage attacks. The samples had been uploaded to VirusTotal. The uploaded\r\nfiles also included a Linux malware variant that included similar functionality to the macOS TangoDaiwbo\r\nmalware. These samples confirm a development that we had highlighted two years earlier – that the group was\r\nactively developing non-Windows malware.\r\nSofacy\r\nSofacy (aka APT28, Fancy Bear, STRONTIUM, Sednit and Tsar Team) is a highly active and prolific APT threat\r\nactor. From its high-volume zero-day deployment to its innovative, broad malware set, Sofacy is one of the top\r\ngroups that we monitor. Among the tools in the group’s arsenal is SPLM (also known as CHOPSTICK and\r\nXAgent), a second-stage tool used selectively against targets around the world. Over the years, Sofacy has\r\ndeveloped modules for several platforms, including, in 2016, modules for Linux, detected as ‘Fysbis’. The\r\nconsistent artefacts seen over the years and across Windows, macOS, iOS and Linux suggests that the same\r\ndevelopers, or a small core team, is modifying and maintaining the code.\r\nThe Dukes\r\nThe Dukes is a sophisticated threat actor that was first documented by us in 2013, but whose tools have been used\r\nin attacks dating back to 2008. The group is responsible for attacks against targets in Chechnya, Ukraine, Georgia,\r\nas well as western governments and NGOs, NATO and individuals – the group is thought to be behind the hack of\r\nthe Democratic National Congress in 2016. The Dukes’ toolset includes a comprehensive set of malware\r\nimplementing similar functionality but coded in several different programming languages. The group’s malware\r\nand campaigns include PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke,\r\nHammerDuke and CloudDuke. At least one of these, SeaDuke, includes a Linux variant.\r\nThe Lamberts\r\nThe Lamberts is a highly sophisticated threat actor group which is known to possess a huge malware arsenal,\r\nincluding passive, network-driven backdoors, several generations of modular backdoors, harvesting tools and\r\nwipers for carrying out destructive attacks. We created a color scheme to distinguish the various tools and\r\nimplants used against different victims around the world.\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 4 of 10\n\nLamberts discovery timeline\r\nIn 2017, we published an overview of the Lamberts family; and further updates (GoldLambert, SilverLambert,\r\nRedLambert, BrownLambert) are available to customers of our threat intelligence reports. The focus of the\r\nvarious Lamberts variants is definitely Windows. Nevertheless, signatures that we created for Green Lambert for\r\nWindows also triggered on a macOS variant of Green Lambert that was functionally similar to the Windows\r\nversion. In addition, we also identified samples of the SilverLambert backdoor compiled for both Windows and\r\nLinux.\r\nTsunami backdoor\r\nTsunami (aka Kaiten) is a UNIX backdoor used by multiple threat actors since it was first seen in the wild in 2002.\r\nThe source code was made public some years ago; and there are now more than 70 variants. The source code\r\ncompiles smoothly on a wide range of embedded devices; and there are versions for ARM, MIPS, Sparc and Cisco\r\n4500/PowerPC. Tsunami remains a threat for Linux-based routers, DVRs and the increasing number of IoT\r\n(internet of things) devices. In 2016, a variant of Tsunami was used in the Linux Mint hack, where an unknown\r\nthreat actor compromised the Linux Mint distribution ISOs to include a backdoor. We also observed the use of the\r\nTsunami backdoor to surgically target a number of cryptocurrency users on Linux.\r\nTurla\r\nTurla (aka Uroboros, Venomous Bear and Waterbug) is a prolific Russian-speaking group known for its covert\r\nexfiltration tactics such as the use of hijacked satellite connections, water-holing of government websites, covert\r\nchannel backdoors, rootkits and deception tactics. This threat actor, like other APT groups, has made significant\r\nchanges to its toolset over the years. Until 2014, every malware sample used by Turla that we had seen was\r\ndesigned for 32- or 64-bit versions of Windows.\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 5 of 10\n\nThen in December 2014, we published our report on Penguin Turla, a Linux component in the Turla arsenal. This\r\nis a stealth backdoor that didn’t require elevated privileges, i.e. administrator or root rights. Even if someone with\r\nlimited access to the system launches it, the backdoor can intercept incoming packets and run commands from the\r\nattackers on the system while maintaining stealth. It is also rather hard to uncover, so if it’s installed on a\r\ncompromised server, it could sit there unnoticed for a long time. Further research on Penguin Turla revealed that\r\nits roots stretch back to the Moonlight Maze operation in the mid-1990s. In May this year, researchers from\r\nLeonardo published a report about Penguin_x64, a previously undocumented variant of the Penguin Turla Linux\r\nbackdoor. Based on this report, we generated network probes that detect Penquin_x64 infected hosts at scale,\r\nallowing us to discover a couple dozen infected servers in Europe and the US, as recent as July 2020. We believe\r\nthat, following public documentation of GNU/Linux tools, Turla may have been repurposing Penguin to conduct\r\noperations other than traditional intelligence gathering.\r\nTwo-Sail Junk\r\nIn January 2020, a watering hole was discovered that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong, based on the\r\ncontent of the landing page. For the time being, until we can link the campaign to a known group, we have given\r\nthe name Two-Sail Junk to the threat actor behind this implant. However, while our public report focused on the\r\niOS implant, the project is broader than previously thought, supporting an Android implant, and probably\r\nsupporting implants for Windows, Linux and MacOS.\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 6 of 10\n\nWellMess\r\nIn March 2020, we began to actively track new C2 servers associated with malware commonly referred to as\r\nWellMess, indicating a potentially massive new wave of activity. This malware was initially documented by\r\nJPCERT in July 2018 and has been sporadically active since then. There were rumors that hint at a possible\r\nconnection with CozyDuke (aka APT29), along with speculation that the current activity was focused on the\r\nhealthcare industry, although we were unable to verify either claim. WellMess is a Remote Access Trojan, written\r\nin .NET and Go (Golang), cross-compiled to be compatible with both Windows and Linux.\r\nWildNeutron\r\nWe first published about WildNeutron in 2015, together with our colleagues from Symantec, who call it Morpho\r\nor Butterfly. This group, which rose to prominence with their 2012-2013 attacks on Twitter, Microsoft, Apple and\r\nFacebook, are one of the most elusive, mysterious and dynamic we have seen. Their arsenal included many\r\ninteresting and innovative tools, such as LSA backdoors or IIS plugins, coupled with both zero-day-based and\r\nphysical deployment. Unsurprisingly, in several known attacks WildNeutron used a custom Linux backdoor as\r\nwell.\r\nZebrocy\r\nZebrocy is custom malware that we have been tracking since 2015. The group using this malware started as a\r\nsubset of Sofacy, but also has similarities and overlaps with other APT groups. The group has developed malware\r\nin several languages, including Delphi, AutoIT, .NET, C#, PowerShell and Go. Zebrocy has mainly targeted\r\nCentral Asian government-related organizations, both in-country and in remote locations. The group makes\r\nextensive use of spear phishing to compromise Windows endpoints. However, its backdoors are configured to\r\ncommunicate directly with IP-assigned web server hosts over port 80; and the group seems to favor Linux for this\r\npart of its infrastructure – specifically, Apache 2.4.10 running on Debian Linux.\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 7 of 10\n\nRecommendations for protecting Linux systems\r\nOne of the main reasons that Linux systems go unprotected is a false sense of security from using Linux instead of\r\nthe far more popular (and more targeted) Windows. Nevertheless, we hope all the aforementioned points are\r\nconvincing enough for you to start securing your Linux-based machines in a serious way.\r\nThe very first recommendation is to maintain a list of trusted sources of your software. Think about this in the\r\nsame way as the recommended approach to Android or iOS apps – only installing applications from official\r\nrepositories. In the Linux world we enjoy more freedom: for example, even if you are using Ubuntu, you’re not\r\nrestricted only to Canonical’s own repository. Any .DEB file, or even application source code from GitHub, is at\r\nyour service. But please choose these sources wisely. Don’t just blindly follow instructions like “Run this script\r\nfrom our server to install”; or “curl https://install-url | sudo bash” – which is a security nightmare.\r\nPlease also be mindful of the secure way to get applications from these trusted repositories. Your channels to\r\nupdate the apps have to be encrypted using HTTPS or SSH protocols. Besides your trust in software sources and\r\nits delivery channel, it’s critical for updates to arrive in a timely fashion. Most modern Linux flavors are able to\r\ndo this for you, but a simple cron script would help you to stay more protected and to get all the patches as soon as\r\nthey are released by developers.\r\nThe next thing we would recommend is checking network-related settings. With commands like “netstat -a” you\r\ncould filter out all unnecessary opened ports on your host. Please avoid network applications you really don’t\r\nneed or don’t use to minimize your network footprint. Also, it would be strongly recommended to properly set up\r\nthe firewall from your Linux distributive, to filter traffic and store the host’s network activity. It’s also a very\r\ngood idea not to go online directly, but through NAT.\r\nTo continue with the network-related security rules, we recommend protecting your locally stored SSH keys\r\n(used for your network services) using passwords at least. In more “paranoid” mode you could even store the\r\nkeys on external protected storage, like tokens from any trusted vendor. On the server side of connections,\r\nnowadays it’s not that hard to set up multi-factor authentication for SSH sessions, like the messages to your\r\nphone or other mechanisms such as authenticator apps.\r\nSo far, our recommendations have covered software sources, application delivery channel, avoiding unnecessary\r\nnetwork footprint and protection of encryption keys. One more idea we recommend for monitoring threats you\r\ncouldn’t find at the filesystem level is to keep and analyze the network activity logs. You could install and use\r\nan out-of-band network tap to independently monitor and analyze the network communications of your Linux\r\nsystems.\r\nAs part of your threat model, you need to consider the possibility that, despite all the aforementioned measures,\r\nattackers can compromise your protection. Think about the next protection step in terms of an attacker’s\r\npersistence in the system. They will probably make changes to be able to start their Trojan automatically after the\r\nsystem reboots. So, you need to regularly monitor the main configuration files as well as the integrity of\r\nsystem binaries, just in case of file viruses. The logs mentioned above for monitoring network communication, is\r\nfully applicable here: the Linux auditing system collects system calls and file access records. Additional\r\ndaemons such as “osquery” can be used for the same task. . Any suspicious files, URLs, and IP addresses can be\r\nchecked at Kaspersky Threat Intelligence Portal.\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 8 of 10\n\nPhysical security of devices is also important. It doesn’t matter how much attention you pay to network and\r\nsystem level hardening if your laptop ends up in an attacker’s hands and you haven’t taken steps to protect it from\r\nthis attack vector. You should consider full disk encryption and safe boot mechanisms for physical security. A\r\nmore spy-like approach would be to place tamper-evident security tape on your most critical hardware.\r\nDedicated solution with Linux security can simplify the protection task: web threat protection detects malicious\r\nand phishing websites; network threat protection detects network attacks in incoming traffic; behavior analysis\r\ndetects malicious activity, while device control allows management of connected devices and access to them.\r\nOur final recommendation relates to Docker. This is not a theoretical threat: infection of containers is a very real\r\nissue. Containerization doesn’t provide security by itself. Some containers are quite isolated from the host, but\r\nnot all – network and file system interfaces exist in them and in most cases there are bridges between physical\r\nand containerized worlds.\r\nTherefore, you can use security solution that allows to add security into development process. Kaspersky Hybrid\r\nCloud Security includes integration with CI/CD platforms, such as Jenkins, through a script to scan Docker\r\nimages for malicious elements at different stages.\r\nTo prevent supply-chain attacks, On-Access Scanning (OAS) and On-Demand Scanning (ODS) of containers,\r\nimages, and local and remote repositories can be used. Namespace monitoring, flexible mask-based scan scope\r\ncontrol and the ability to scan different layers of containers help to enforce secure development best practices.\r\nWe have broken down this list of recommendations into logical sections. Please bear in mind that, besides\r\napplying all the measures we have mentioned, you should also audit and check all the generated logs and any\r\nother messages regularly. Otherwise you could miss signs of intrusion. A final idea, for security enthusiasts, is to\r\nadopt active measures – to provide system penetration testing from time to time.\r\nSummary of recommendations:\r\nMaintain a list of trusted software sources, avoid using unencrypted update channels.\r\nDo not run binaries and scripts from untrusted sources. A widely advertised way to install programs with\r\ncommands like “curl https://install-url | sudo bash” is a security nightmare.\r\nMake sure your update procedure is effective. Set up automatic security updates.\r\nSpend time to set up your firewall properly: make sure it logs network activity, block all ports you don’t\r\nuse, minimize your network footprint.\r\nUse key-based SSH authentication, protect keys with passwords.\r\nUse 2FA and store sensitive keys on external token devices (e.g. Yubikey).\r\nUse an out-of-band network tap to independently monitor and analyze network communications of your\r\nLinux systems.\r\nMaintain system executable file integrity. Review configuration file changes regularly.\r\nBe prepared for insider/physical attacks: use full disk encryption, trusted/safe boot and put tamper-evident\r\nsecurity tape on your critical hardware.\r\nAudit the system, check logs for indicators of attacks.\r\nRun penetration tests on your Linux setup.\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 9 of 10\n\nUse a dedicated security solution for Linux with web and network protection, as well as features for\r\nDevOps protection.\r\nSource: https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nhttps://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/" ], "report_names": [ "98440" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2", "created_at": "2022-10-25T16:07:24.471018Z", "updated_at": "2026-04-10T02:00:05.002374Z", "deleted_at": null, "main_name": "Cron", "aliases": [], "source_name": "ETDA:Cron", "tools": [ "Catelites", "Catelites Bot", "CronBot", "TinyZBot" ], "source_id": "ETDA", "reports": null }, { "id": "49822165-5541-423d-8808-1c0a9448d588", "created_at": "2022-10-25T16:07:23.384093Z", "updated_at": "2026-04-10T02:00:04.575678Z", "deleted_at": null, "main_name": "Barium", "aliases": [ "Brass Typhoon", "Pigfish", "Starchy Taurus" ], "source_name": "ETDA:Barium", "tools": [ "Agent.dhwf", "Agentemis", "Barlaiy", "BleDoor", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "POISONPLUG", "PlugX", "RbDoor", "RedDelta", "RibDoor", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d", "created_at": "2022-10-25T16:07:24.402328Z", "updated_at": "2026-04-10T02:00:04.97641Z", "deleted_at": null, "main_name": "Wild Neutron", "aliases": [ "Butterfly", "Morpho", "Sphinx Moth", "The Postal Group", "Wild Neutron" ], "source_name": "ETDA:Wild Neutron", "tools": [ "HesperBot", "Jiripbot", "JripBot" ], "source_id": "ETDA", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "08623296-52be-4977-8622-50efda44e9cc", "created_at": "2023-01-06T13:46:38.549387Z", "updated_at": "2026-04-10T02:00:03.020003Z", "deleted_at": null, "main_name": "Equation Group", "aliases": [ "Tilded Team", "EQGRP", "G0020" ], "source_name": "MISPGALAXY:Equation Group", "tools": [ "TripleFantasy", "GrayFish", "EquationLaser", "EquationDrug", "DoubleFantasy" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b", "created_at": "2024-05-01T02:03:08.144214Z", "updated_at": "2026-04-10T02:00:03.674763Z", "deleted_at": null, "main_name": "PLATINUM COLONY", "aliases": [ "Equation Group " ], "source_name": "Secureworks:PLATINUM COLONY", "tools": [ "DoubleFantasy", "EquationDrug", "EquationLaser", "Fanny", "GrayFish", "TripleFantasy" ], "source_id": "Secureworks", "reports": null }, { "id": "e993faab-f941-4561-bd87-7c33d609a4fc", "created_at": "2022-10-25T16:07:23.460301Z", "updated_at": "2026-04-10T02:00:04.617715Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "APT-C-39", "Platinum Terminal", "The Lamberts" ], "source_name": "ETDA:Longhorn", "tools": [ "Black Lambert", "Blue Lambert", "Corentry", "Cyan Lambert", "Fluxwire", "Gray Lambert", "Green Lambert", "Magenta Lambert", "Pink Lambert", "Plexor", "Purple Lambert", "Silver Lambert", "Violet Lambert", "White Lambert" ], "source_id": "ETDA", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "e0fed6e6-a593-4041-80ef-694261825937", "created_at": "2022-10-25T16:07:23.593572Z", "updated_at": "2026-04-10T02:00:04.680752Z", "deleted_at": null, "main_name": "Equation Group", "aliases": [ "APT-C-40", "G0020", "Platinum Colony", "Tilded Team" ], "source_name": "ETDA:Equation Group", "tools": [ "Bvp47", "DEMENTIAWHEEL", "DOUBLEFANTASY", "DanderSpritz", "DarkPulsar", "DoubleFantasy", "DoubleFeature", "DoublePulsar", "Duqu", "EQUATIONDRUG", "EQUATIONLASER", "EQUESTRE", "Flamer", "GRAYFISH", "GROK", "OddJob", "Plexor", "Prax", "Regin", "Skywiper", "TRIPLEFANTASY", "Tilded", "UNITEDRAKE", "WarriorPride", "sKyWIper" ], "source_id": "ETDA", "reports": null }, { "id": "70db80bd-31b7-4581-accb-914cd8252913", "created_at": "2023-01-06T13:46:38.57727Z", "updated_at": "2026-04-10T02:00:03.028845Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "the Lamberts", "APT-C-39", "PLATINUM TERMINAL" ], "source_name": "MISPGALAXY:Longhorn", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1", "created_at": "2024-05-01T02:03:08.146025Z", "updated_at": "2026-04-10T02:00:03.67072Z", "deleted_at": null, "main_name": "PLATINUM TERMINAL", "aliases": [ "APT-C-39 ", "Longhorn ", "The Lamberts ", "Vault7 " ], "source_name": "Secureworks:PLATINUM TERMINAL", "tools": [ "AfterMidnight", "Assassin", "Marble Framework" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "a653b7ac-97b5-465b-98cd-8713223b06a7", "created_at": "2023-01-06T13:46:38.592385Z", "updated_at": "2026-04-10T02:00:03.032867Z", "deleted_at": null, "main_name": "WildNeutron", "aliases": [ "Morpho", "Sphinx Moth" ], "source_name": "MISPGALAXY:WildNeutron", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434783, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/368fba00e58d5f2a5cb8f95c702dd8117cd4c02f.pdf", "text": "https://archive.orkl.eu/368fba00e58d5f2a5cb8f95c702dd8117cd4c02f.txt", "img": "https://archive.orkl.eu/368fba00e58d5f2a5cb8f95c702dd8117cd4c02f.jpg" } }